Good question @DougiUK84, I haven't heard much about GDPR and GoDaddy but a bit of background for those not familiar. GDPR is a regulation designed to protect the privacy of European Union citizens and residents. It will apply to all companies that handle data about EU residents, not just companies based in the EU. The GDPR goes into effect in May 2018.
While I believe GDPR will change how certain information appears in the Whois, this is not however a sweeping change. Specifically GDPR is not designed to change the Whois information for those not in the European Union (EU). Global companies often have a compliance mix when it comes to privacy. Certain TLDs are displayed differently in the Whois, have different registration rules... I suspect that GDPR will be implemented in a similar fashion?
All that is to say "I have no clear idea" but I'm sure that there would be some account auditing going on to comply with these regulations? I hope that helps?
roy darling *my posts seem a lot shorter in my head
Thanks Roy. Much appreciated.
I am actually mainly thinking of the hosting and databases in the Paralels environment. Under GDPR the data processor (us as developers) are responsible for sub-processors (such as GoDaddy). So I was hoping to find some information that would satisfy me that hosting on GoDaddy is still a viable solution for any data controllers or data processors who operate with PII (personally identifiable information) of users who reside within the EU. Operations outside the EU will be required to comply with GDPR if they are to operate with EU nationals as I understand it currently. So this would affect any companies or individuals who have EU users in databases etc.
I was assuming that GoDaddy would have documentation prepared to this end, but couldn't find it. If anyone knows of any such documentation it would be greatly appreciated if you might please point me to it.
If you have business dealings with GoDaddy that will be impacted I anticipate that you will be contacted @DougiUK84? I have myself been alerted from several companies of the GDPR changes. I have not seen official documentation from anyone about this, I suspect that compliance documentation is in the works though?
roy darling *my posts seem a lot shorter in my head
After speaking with Argel at GoDaddy on the topic of GDPR compliance - the servers for GoDaddy are located in the USA. This will not be allowed under the new regulations starting May 25th, 2018
If using the website builder, GoDaddy does not allow for any alternative to move the data to an EEA location.
If a user subscribes to cPanel, an EU server location can be selected but does not allow for the ease of website creation through the website builder.
I believe that it's possible to host outside the EU, but one needs to have safeguards in place:
"You can still host your IT with providers outside of the EU, but you will need to ensure that these providers have safeguards and security measures in place that meet the GDPR standards in order to remain compliant if you are handling EU citizen data."
As I understand it GoDaddy don't have an DPA (Data Processing Addendum) to cover this.
I believe that therefore this means that no company (anywhere in the world) can legally use GoDaddy for hosting if they hold PII for any EU citizens.
Without question this is a messy topic at the moment.
Yes, it is possible to send out of the EU, but there are more restrictions imposed.
Previously called Safe Harbour Agreement, the EU-Privacy shield allows US organisations to register with the US Department of Commerce to allow handling of PII of UK citizens.
The DoC lists all of the registered organisations here, which shows that GoDaddy is registered:
(if the link is broken, a search can be made to look for GoDaddy)
I have not yet looked at the security measures in place by GoDaddy, which ideally would be ISO27001 certification. However, the current guidance from the ICO has not yet formulated a fixed standard for this. Considering the number of customers that GoDaddy would lose, I'm very surprised that this information is not more readily available, especially when asked of GoDaddy. This would have saved a lot of time hunting for new website building solution!
The E.U-U.S and Swiss-U.S. Privacy Shield Frameworks. - this is key for servers in US and godaddy complies
There's a good article by one man on https://www.advancedfictionwriting.com/blog/2018/05/13/gdpr-authors-part-1/. GoDaddy says some things are being added on May 25th, but what? The site that article sends you to is iubenda.com. There are levels of compliance you can get from free to $27/year. Not terrible expensive, but I'm a novelist not a computer tech. I have zero idea what I'm looking at or what I need. What I need is for someone to say, "Get A, B C and forget D." lol
Thanks for sharing that link, Ane. That's actually the simplest set of blog instructions I've seen so far - and I'm an author and a techy person.
I actually have some other info from my writers association:
It really is quite simple. The thing that affects most of us as writers is a newsletter.
If you sell something or offer a free gift and add those who respond to your email list, make it clear up front that that they get the gift in exchange for being placed on the email list.
I am thinking, though, of adding a privacy statement to my website. There are several examples on the web. But doing business on line is still much less trouble than doing it in a face-to-face setting where you have to deal with building codes, local business licenses, sales taxes, state, local, and federal regulations. Sending an email to your list asking them to confirm their subscription is a piece of cake compared to that.
And just because I am honest, doesn’t mean there is not a need for regulations to encourage the same honesty in others.
They added a reference to the DPA in the general terms:
"6. PROTECTION OF YOUR DATA
GoDaddy offers certain hosted Services available to you that may involve the submission, collection and/or use of personally identifying or identifiable information about you and your own customers (“Your Data”) in the course of your use of these Services (“Covered Services”). Your Data, for the purpose of this Section, excludes any User Content. GoDaddy’s Data Processing Addendum (“DPA”), which is hereby incorporated by reference and applicable to Covered Services, is meant to provide you contractual assurance that we have robust mechanisms to ensure the transfer of Your Data, including transfers of Your Data from the EEA to the Covered Services, meets with compliance under applicable data privacy laws.
For the purposes of the DPA and the Standard Contractual Clauses attached to the DPA (when and as applicable), you (and your applicable affiliates) are considered the Data Controller/Data Exporter, and your acceptance of the terms of service governing Covered Services at the time of purchase of any Covered Services will also be treated as your acknowledgement and acceptance of the DPA and its appendices (including the Standard Contractual Clauses and its appendices, as applicable). If you wish to print, sign and return a physical copy of the DPA, please send an email request to email@example.com "